The Personal Data Authority (AP) recently released a report analyzing key privacy trends and developments in the Dutch education sector. This report provides insight into the progress and challenges educational institutions are experiencing in complying with the General Data Protection Regulation (GDPR).
FileFactory is the solution to quickly and easily find and delete information in documents and student files. Benefits for educational institutions include: one-time turnkey project to clean up all historical documents, structural clean up of all new documents and industry-leading OCR technology. To learn more about FileFactory, request a demo and download the brochure below.
Key trends and challenges
Social challenges and personal data
Educational institutions face societal challenges such as learners’ psychological well-being, safety and equity. Processing personal data is often necessary in these topics, but institutions frequently struggle with whether there is a legal basis for these processing operations, especially when sensitive data is involved.
Rise of algorithms and AI
The integration of algorithms and AI into education presents tremendous opportunities, but also risks such as bias, loss of control over personal data and ethical issues. The AP emphasizes the importance of policy strategies and control processes to responsibly implement these technologies. Increasing knowledge about AI within educational institutions is also seen as crucial.
Challenges of shadow ICT
Shadow IT, where teachers and students use various apps and software outside the official IT structure, poses a major challenge. This makes it difficult for educational institutions to keep track of all data processing and poses risks to the privacy of data subjects.
Lack of clarity around research data
There is much ambiguity surrounding the use of research data, particularly around anonymization and reuse of data for new research. National and international collaborations add additional complexity to GDPR compliance.
Developments
Since the recent cyberattacks, the focus on information security and privacy in education has increased dramatically. Earlier, the AP advised the ministers of Education, Culture and Science (OCW) to take a coordinating role in data protection within education and to conduct Data Protection Impact Assessments (DPIAs) on commonly used digital assets. And also, the OCW ministers announced their intention to increase digital security in education and research.
In collaboration with SURF, the privacy assessment framework will be further developed for higher education and MBO, allowing institutions to determine their level of maturity in data protection. There is no requirement to meet a certain level, but the mbo is considering setting an ambition level.
There are concerns about whether smaller educational institutions have the resources to meet these standards frameworks. Collaborative organizations such as SURF/SIVON offer practical support, but it remains a challenge.
Increase in collaboration
There has been an increase in collaboration to jointly organize GDPR compliance. This includes developing common services to reduce burdens on small institutions, support in reviewing processor agreements, conducting DPIAs on software applications and developing a Computer Emergency Response Team (CERT). There are also concerns about the power of large (inter)national vendors in digitized education and establishing adequate data protection safeguards.
Education sector self-assessment
The AP notes that the education sector is generally positive about GDPR compliance, but there are challenges such as time, money and capacity constraints. Large institutions are usually further along in their privacy compliance than smaller institutions. While there is progress in leadership, risk assessments and transparency, policy implementation and self-monitoring remain challenges.
Also read: Pupil data also of interest to hackers
Conclusions and future focus
The AP concludes that the basis for GDPR compliance is improving but still needs improvement. Key concerns include awareness, workplace policies and data minimization. The AP emphasizes that education is the ideal place to impart knowledge about safe handling of digital technology.
For the future, the AP is focused on overseeing the use of algorithms and AI, developing further guidelines on the processing of personal data for research, and monitoring cross-sector data sharing. Despite limited resources and capacity, monitoring online learner protection remains a challenge.
The education sector has taken significant steps to improve privacy compliance, but work remains to be done. Increased cooperation and self-regulation are positive developments, but continued efforts are needed to further strengthen privacy protection in education.